Virtualization and cloud computing are rapidly becoming critical tools in the arsenal of CIOs. Virtualization enables more efficient use of existing IT resources. Even more important for the business units that a CIO supports, virtualization enables IT to respond rapidly to requirements for new server and application deployments. Cloud-based offerings are also critical, as they enable rapid sourcing of additional IT resources and support business unit migration toward a variable cost model, in which cost increases and decreases track to changes in demand, thus providing a more predictable cost structure.

Beyond the responsibility to be responsive to business units, in many organizations CIOs also have an oversight role, assessing and advising business units on the risk levels of their technology strategies and implementing solutions that manage risk in accordance with the risk profile adopted by the corporation.

Virtualization and cloud computing services, which enable IT to be more responsive to business unit demands, bring with them the potential for additional risk. Not everything that can be done with new technologies should be done. The same technologies that enable a business to be agile may also undermine a previously well-designed disaster recovery and business continuity plan. The CIO’s responsibility for responsiveness must be balanced with the responsibility for risk management. Ultimately, the assumption of risk, which is inherent in all business, is a business management decision, but, as Tony Scott, CIO at Microsoft, stated in an interview published in the Disaster Recovery Journal, the CIO must:

Create awareness of potential areas of risk,

Assess those risks and help the organization think about and quantify risks (and) what they represent,

Have plans to address and mitigate (risk) in the most effective way,

Have continuous feedback on how (the company is) doing against plans and gauging the effectiveness of those plans.

Ultimately, virtualization and cloud-based services will become a key part of a company’s ability to move from a disaster-recovery mindset to a continuous-operations basis. As Tony Scott stated, “Fear as a motivator is not good in this area,” but the ability to be up and running 24-by-7 may be. Until a continuous business operations infrastructure is achieved, high-visibility scorecards of disaster recovery capabilities and assumed operational risk are critical to driving business-unit awareness.

Action Item: CIOs should embrace virtualization and cloud computing to drive down operational costs, enable an infrastructure that is more responsive to business needs, and shift the corporation to a more variable-cost model. This should not be done, however, without first developing a plan for assessing operational risk and the impact on disaster recovery and business continuity.

Comments on 'The CIO's Risk Management Role in the Adoption of Virtualization and Cloud Services'

Excellent piece. I think the real issue here is quantifying the new risks that virtualization and cloud computing introduce versus the benefits they provide. And in doing that analysis, the CIO should not forget to include the reduction in some traditional risk levels that the new technologies provide. For instance, cloud computing introduces risk associated with some loss of control of data and the possibilities of network connection failures. However, it may decrease the risk of hardware failures if the provider spreads operations over multiple data centers in different locations.